✏️Note: In this document, we use Azure Active Directory (AAD, now called Microsoft Entra ID) to illustrate the process, but Aidi works with any identity provider that supports the OpenID Connect (OIDC) protocol.
Azure AD Integration with Aidi
Azure Active Directory Authentication Registration Process
Adding Optional Claims for Aidi SSO Integration
Azure AD Integration with Aidi
What is Azure AD used for?
Aidi uses Microsoft Azure Active Directory (AAD) for identity and access management so that you can authenticate securely to the application. In this way, a user in your organization can log in with the same credentials as his or her email or workstation, via the single sign-on (SSO) process.
✏️Note: It is possible to synchronize your on-premises Active Directory with Azure Active Directory using Microsoft’s Azure AD Connect tool (now called Microsoft Entra Connect). For more information, see Microsoft Entra Connect Sync: Understand and customize synchronization | Microsoft Docs
Identification Process
From the user’s standpoint, authentication is very simple. On the Aidi home page, the user simply selects the Login with your organization’s credentials option.
A Microsoft login window will then be displayed.
If authentication is successful, the user has access to the assigned resources; otherwise an error message is displayed. If the Aidi admin has not yet assigned an access profile to the new user, the user can still authenticate to Aidi but will not have access to any pages.
Configuration of Azure Active Directory
To begin the integration, the Aidi application must be registered in your Microsoft account in order to establish a relationship of trust with your identity platform. One of the following administrator roles is required:
● Application Administrator
● Application Developer
● Cloud Application Administrator
Once the application has been registered, a redirect URI (called a Reply URL in older versions of the portal) must be added. This is the URL to which the Microsoft identity platform redirects the user’s browser, carrying the security tokens, after authentication. To complete the configuration, API permissions must be granted to the Aidi app registration; these permissions specify what information about your organization’s users the application may read. In addition, we strongly recommend granting admin consent for the Aidi registration so that users are not asked to individually approve the reading of their email address and profile details.
Azure Active Directory Authentication Registration Process
- Navigate to portal.azure.com and search for the Azure Active Directory service (shown as Microsoft Entra ID in newer versions of the portal).
- On the Azure Active Directory service page for your organization, navigate to App registrations.
- Select New registration.
- Enter the Name for the new registration; "Aidi" is recommended.
- Under Supported account types, select the first option, Accounts in this organizational directory only. This creates a single-tenant application, meaning the application is only visible to your organization.
- Leave the Redirect URI field empty.
- Press Register.
You will be redirected to the application screen.
- Take note of the Application (client) ID and Directory (tenant) ID and forward them to the Aidi implementation manager you are working with.
- Once you’ve written the IDs down, navigate to Add a Redirect URI.
- Select Add a platform.
- A tray opens on the right side of the screen; select Single-page application.
- Enter one of the URIs you’ve been provided by your implementation manager under Redirect URIs.
- Leave the Front-channel logout URL blank.
- Under Implicit grant and hybrid flows, check both checkboxes (Access tokens and ID tokens). Enable these only because this integration calls for them: Microsoft recommends the authorization code flow with PKCE over the implicit grant for single-page applications, so leave them unchecked on registrations that do not need them.
- Click the Configure button at the bottom of the page.
You will have to repeat this process for every URI you’ve been issued by the Aidi team. The URIs will typically be in the format https://<organization>.aidi.io/user/login/.
- You should now have the list of URIs available at the top of the page.
- Make sure both checkboxes under the Implicit grant and hybrid flows section are checked.
- Under Supported account types, make sure Accounts in this organizational directory only (Single tenant) is selected.
- Set Allow public client flows to Yes. This switch enables the mobile and desktop flows (device code, username/password and Windows integrated authentication) for this registration only; it does not affect your other app registrations.
- Click Save at the top of the page.
The last step is now to add the missing permissions.
- Navigate to API Permissions on the left side of the screen.
- Once on the page, select Add a permission. You should see a tray open up.
- In the tray, select Microsoft Graph, then Delegated permissions.
- Under Select permissions, expand OpenId permissions, find the email permission and check it.
- Click the Add permissions button at the bottom of the page.
You may choose to grant admin consent for the application on behalf of your whole organization. This prevents each user from being prompted to consent individually. This last step is optional.
- If you wish to do so, click Grant admin consent for <your organization> (the button carries the name of your tenant).
This completes the configuration to be done on the client side. With the Application (client) ID and Directory (tenant) ID provided, Aidi will finish the implementation of this integration. Your implementation manager will advise you when the integration will be activated. Once activated, you can ask a few users with access to Aidi to confirm the integration is operational.
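The portal steps above can also be applied non-interactively, which makes the resulting registration easier to review and reproduce. The following script is an added example written for this article, not Aidi’s or Microsoft’s own tooling. It maps each portal checkbox onto the corresponding Microsoft Graph application property and applies them with the Azure CLI (az, after az login with one of the administrator roles listed above). The organization slug example-org is a placeholder; use the URIs issued by your implementation manager.

```python
"""Apply the Aidi app registration settings from the portal walkthrough
with the Azure CLI. Added example, not Aidi's or Microsoft's own code."""
import json
import re
import subprocess
from typing import Any

# Well-known application ID of Microsoft Graph; identical in every tenant.
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Assumption taken from the article: one HTTPS login URI per Aidi instance.
AIDI_LOGIN_URI = re.compile(r"^https://[a-z0-9-]+\.aidi\.io/user/login/$")


def aidi_redirect_uris(organizations: list[str]) -> list[str]:
    """Build the SPA redirect URIs for the organization slugs issued by Aidi."""
    uris = [f"https://{org}.aidi.io/user/login/" for org in organizations]
    bad = [u for u in uris if not AIDI_LOGIN_URI.match(u)]
    if bad:
        raise ValueError(f"unexpected redirect URI(s): {bad}")
    return uris


def application_patch(redirect_uris: list[str], email_scope_id: str) -> dict[str, Any]:
    """Graph 'application' body equivalent to the portal settings: single tenant,
    SPA platform, implicit grant (access + ID tokens), public client flows and
    the delegated Microsoft Graph 'email' permission."""
    return {
        "signInAudience": "AzureADMyOrg",            # Accounts in this directory only
        "spa": {"redirectUris": redirect_uris},      # Single-page application platform
        "web": {
            "implicitGrantSettings": {
                "enableAccessTokenIssuance": True,   # Access tokens checkbox
                "enableIdTokenIssuance": True,       # ID tokens checkbox
            }
        },
        "isFallbackPublicClient": True,              # Allow public client flows: Yes
        "requiredResourceAccess": [
            {
                "resourceAppId": MS_GRAPH_APP_ID,
                # type "Scope" = delegated permission (as opposed to "Role")
                "resourceAccess": [{"id": email_scope_id, "type": "Scope"}],
            }
        ],
    }


def az(*args: str) -> str:
    """Run an Azure CLI command and return its stdout (requires a prior `az login`)."""
    return subprocess.run(["az", *args], check=True, capture_output=True, text=True).stdout.strip()


def register_aidi(organizations: list[str], display_name: str = "Aidi") -> dict[str, str]:
    """Create and configure the registration; returns the two IDs Aidi asks for."""
    app = json.loads(az("ad", "app", "create", "--display-name", display_name,
                        "--sign-in-audience", "AzureADMyOrg"))
    # Resolve the delegated 'email' scope ID from the Graph service principal
    # in this tenant instead of hard-coding it.
    email_scope_id = az("ad", "sp", "show", "--id", MS_GRAPH_APP_ID,
                        "--query", "oauth2PermissionScopes[?value=='email'].id", "-o", "tsv")
    body = application_patch(aidi_redirect_uris(organizations), email_scope_id)
    az("rest", "--method", "PATCH",
       "--url", f"https://graph.microsoft.com/v1.0/applications/{app['id']}",
       "--headers", "Content-Type=application/json", "--body", json.dumps(body))
    # Optional: admin consent so users are not prompted for email/profile.
    az("ad", "app", "permission", "admin-consent", "--id", app["appId"])
    tenant_id = az("account", "show", "--query", "tenantId", "-o", "tsv")
    return {"client_id": app["appId"], "tenant_id": tenant_id}


if __name__ == "__main__":
    # example-org is a placeholder slug; pass the organizations Aidi issued to you.
    print(json.dumps(register_aidi(["example-org"]), indent=2))
```

The PATCH is issued against the registration’s object id (the id field returned by az ad app create), not the Application (client) ID; if the PATCH is rejected immediately after creation, retry after a few seconds, since the new object may not yet have replicated. The returned client_id and tenant_id are the values to forward to your implementation manager.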
Adding optional claims for Aidi SSO Integrations (optional)
✏️Note: You can also configure optional claims if given_name and family_name are populated in your directory. This lets Aidi fill in first_name and last_name correctly when the user is created.
Adding the family_name and given_name claims to the ID token allows the Aidi backend to extract the first name and last name from the user’s profile by decoding the token. To add these claims, follow these steps in Azure:
- Go to App registrations page.
- Select the application created in the previous section of this document.
- In the Manage section, select Token configuration.
- Under the Optional claims section, click Add optional claim.
- Select ID as the Token type, check the given_name and family_name claims, and confirm with Add.